Docs / Enrollment / Mobile / Apple Profiles

iOS Profiles

iOS Profiles (Configuration Profiles) allow you to configure settings and enforce policies on managed iPhone and iPad devices. Profiles are delivered as signed .mobileconfig files through MDM commands or the ZSync app.

Overview

iOS Configuration Profiles provide a standardised way to configure device settings. Once installed, profiles enforce their settings until removed.

Requirements

  • Devices must be enrolled with ZSync
  • For full MDM capabilities, Apple MDM (APNS) must be configured
  • Supervised devices have access to more profile options

Profile Types

WiFi Profiles

Configure wireless network connections on iOS devices:

  • Network Name (SSID) - The wireless network identifier
  • Security Type - Open, WEP, WPA/WPA2 Personal, WPA/WPA2 Enterprise, WPA3
  • Password - Pre-shared key for personal networks
  • Hidden Network - Connect to networks that don't broadcast their SSID
  • Auto-Join - Automatically connect when in range
  • Proxy Settings - Configure proxy for the network

Enterprise WiFi options:

  • EAP Type - PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, LEAP
  • Identity - Username for authentication
  • Certificates - Client certificates for EAP-TLS
  • Trust - Trusted server certificates

VPN Profiles

Configure Virtual Private Network connections:

  • VPN Type - IKEv2, IPSec, L2TP
  • Server Address - VPN server hostname or IP
  • Remote Identifier - Server identity for IKEv2
  • Local Identifier - Client identity
  • Authentication - Certificate, username/password, or shared secret
  • On-Demand Rules - Auto-connect based on network conditions

Passcode Policies

Enforce device passcode requirements:

  • Require Passcode - Force users to set a passcode
  • Minimum Length - Required passcode length (4-16 digits/characters)
  • Require Alphanumeric - Require letters and numbers
  • Minimum Complex Characters - Required special characters
  • Maximum Passcode Age - Days before passcode expires
  • Passcode History - Number of previous passcodes that cannot be reused
  • Maximum Failed Attempts - Wipe device after failed attempts
  • Maximum Grace Period - Time allowed before passcode required after lock
  • Maximum Inactivity - Auto-lock after inactivity period

Restrictions

Control device features and capabilities. Restrictions vary based on supervision status.

Available on all devices:

  • Allow Camera - Enable or disable camera
  • Allow FaceTime - Enable or disable FaceTime
  • Allow Screen Capture - Allow screenshots and screen recording
  • Allow iCloud Backup - Allow backups to iCloud
  • Allow iCloud Photo Library - Allow photo sync to iCloud

Supervised devices only:

  • Allow App Installation - Control App Store access
  • Allow App Removal - Prevent deleting apps
  • Allow AirDrop - Control AirDrop sharing
  • Allow Bluetooth Modification - Prevent changing Bluetooth settings
  • Allow VPN Creation - Prevent creating VPN configurations
  • Allow Device Name Change - Prevent renaming the device
  • Allow Wallpaper Change - Prevent changing wallpaper
  • Allow Passcode Change - Prevent changing passcode
  • Force WiFi On - Prevent disabling WiFi

Supervised vs Unsupervised

Supervised Devices

Supervised devices are typically organisation-owned and set up through Apple Business Manager (ABM) or Apple Configurator. They have access to all profile types and restrictions.

Unsupervised Devices

Unsupervised devices (BYOD) have limited profile capabilities. Many restrictions are not available on unsupervised devices.

Creating a Profile

  1. Navigate to Mobile Devices > Profiles
  2. Click Create Profile
  3. Select iOS as the platform
  4. Choose the profile type (WiFi, VPN, Passcode, or Restrictions)
  5. Enter a name and description for the profile
  6. Configure the profile settings
  7. Set targeting rules or select assignment groups
  8. Click Create

Targeting Devices

Profiles can be targeted using:

Direct Targeting Rules

  • All Devices - Deploy to all iOS devices
  • iOS Versions - Target specific iOS versions
  • Supervision Status - Supervised or Unsupervised only
  • Device Types - iPhone, iPad, or both
  • Specific Devices - Select individual devices
  • Exclude Devices - Exclude specific devices

Assignment Groups

Use assignment groups for reusable targeting and staged deployments.

Deploying Profiles

When APNS is configured, profiles are pushed to devices via MDM commands. Devices receive profiles immediately when online.

ZSync App Deployment

Without APNS, profiles are delivered when the user opens the ZSync app and syncs. The user must approve the profile installation.

Profile Installation

When a profile is deployed:

  1. Device receives the profile (via MDM push or ZSync sync)
  2. For MDM: Profile is installed automatically (supervised) or user is prompted (unsupervised)
  3. For ZSync: User is prompted to install the profile in Settings
  4. Profile settings take effect immediately upon installation

Viewing Profile Status

Check deployment status in the profile details:

  • Pending - Awaiting delivery to device
  • Installed - Successfully installed on device
  • Failed - Installation failed (check failure reason)

Updating Profiles

To update an iOS profile:

  1. Edit the profile settings
  2. Save the changes
  3. Re-deploy to push the updated profile to devices

The new profile version replaces the old one on devices.

Removing Profiles

Profiles can be removed:

  • Via MDM - Send remove command (supervised devices)
  • Via ZSync - Queue remove action
  • Manually - User removes via Settings > General > Profiles (if allowed)

Best Practices

  • Use APNS for reliable profile deployment
  • Test profiles on supervised test devices first
  • Document WiFi credentials securely outside of ZEM Cloud
  • Use descriptive profile names (e.g., "Corporate WiFi - HQ Building")
  • Consider supervision requirements when planning profile capabilities
  • Use Assignment Groups for organised deployments across environments

Troubleshooting

Profile Not Installing

  • Check if APNS is configured for MDM push
  • Verify the device is online and connected
  • For unsupervised devices, user must approve installation
  • Check profile payload for configuration errors

Profile Settings Not Applied

  • Some restrictions require supervised mode
  • Verify the profile status shows "Installed"
  • Check for conflicting profiles with opposite settings
  • Restart the device to ensure settings take effect